[jira] [Created] (MDEP-891) Used undeclared dependencies found for class which is used by and indirect class

Mon, 30 Oct 2023 11:06:04 -0700 

Karl Heinz Marbaise created MDEP-891:
----------------------------------------

             Summary: Used undeclared dependencies found for class which is 
used by and indirect class
                 Key: MDEP-891
                 URL: https://issues.apache.org/jira/browse/MDEP-891
             Project: Maven Dependency Plugin
          Issue Type: Bug
          Components: analyze-only
    Affects Versions: 3.6.1, 3.6.0
            Reporter: Karl Heinz Marbaise
             Fix For: waiting-for-feedback
         Attachments: SO-mvn-question-main.zip

Based on an example described on 
[StackOverflow|https://stackoverflow.com/questions/77360885/maven-dependency-plugin-3-6-started-to-find-new-used-undeclared-dependencies]
 with the example project https://github.com/DmitryTen/SO-mvn-question which 
can be used as reproducer (attached that example to the issue).

The failure starts happening with {{Maven Dependency Plugin:3.6.0}}:
{code}
[INFO] --- dependency:3.6.0:analyze-only (analyze-dependencies) @ test ---
[ERROR] Used undeclared dependencies found:
[ERROR]    org.springframework:spring-web:jar:5.3.5:compile
[INFO] -----------------------------------------------------------------
{code}
If we change the version of the plugin to 3.5.0:
{code}
[INFO] --- dependency:3.5.0:analyze-only (analyze-dependencies) @ test ---
[INFO] No dependency problems found
[INFO] Copying org.example:test:pom:1.0-SNAPSHOT to project local repository
[INFO] Copying org.example:test:jar:1.0-SNAPSHOT to project local repository
[INFO] Copying org.example:test:pom:consumer:1.0-SNAPSHOT to project local 
repository
[INFO] 
----------------------------------------------------------------------------------
{code}

After a bit more diving into it, it looks like the upgrade of the 
{{maven-dependency-analyzer:1.3.2}} in release 3.6.0 of the 
{{maven-dependency-plugin}} 
(https://issues.apache.org/jira/projects/MDEP/versions/12352921) caused that 
issue. If I use an older version of {{maven-dependency-plugin}}  for example 
3.5.0 and upgrade there the {{maven-dependency-analyzer:1.3.1}} it will fail 
with the same output. The version {{maven-dependency-analyzer:1.3.0}} will work 
fine.

I have taken a look into the code of the classes:

The class {{StandaloneVaultConfig}} which is created in the example project 
uses {{AppRoleAuthentication}} which is part of 
{{org.springframework.vault:spring-vault-core}}. The usage of classes from 
{{org.springframework:spring-web:jar:5.3.5:compile}} happening in the class 
{{AppRoleAuthentication}}. 




--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to